palo/nixos-config
palo/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add mobi and it works

Browse source
This commit is contained in:
Ingolf Wagner 2022-09-23 20:29:18 +02:00
parent 9964d154d4
commit f771aa24bf
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
23 changed files with 278 additions and 146 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

56
flake.lock
View file

@ -3,7 +3,7 @@
"barcode-reader": {
"inputs": {
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_2"
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1636602745,
@ -38,16 +38,18 @@
"inputs": {
"flake-compat": "flake-compat",
"nix-eval-jobs": "nix-eval-jobs",
"nixpkgs": "nixpkgs",
"nixpkgs": [
"nixpkgs"
],
"stable": "stable",
"utils": "utils"
},
"locked": {
"lastModified": 1661669123,
"narHash": "sha256-nXslD8Sbs6G9/MN7HOr+YrBCCmUdS/MpEuxJGlWeSgM=",
"lastModified": 1663742427,
"narHash": "sha256-1gcXLVbZRVbRfNo6bHemNxdnEBgs6W0QPw675/uso3w=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "e7356e2c5cbc19be6e04d284c943b24bbde81a9b",
"rev": "a8e6b999cfec9fadc2ca81994da44182e73be7eb",
"type": "github"
},
"original": {
@ -546,16 +548,15 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1660485612,
"narHash": "sha256-sSLW1KaB1adKTJn9+Ja3h3AaS7QCZyhUKiSUStcLg80=",
"owner": "NixOS",
"lastModified": 1636416043,
"narHash": "sha256-Esz9X97OeAsNoJUVuqlCu2LDWcyLE24huUonhOY3JGw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "6512b21eabb4d52e87ea2edcf31a288e67b2e4f8",
"rev": "db6044d5debaff0749420c3553d1b89fc6c5c5f8",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"owner": "nixos",
"repo": "nixpkgs",
"type": "github"
}
@ -615,21 +616,6 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1636416043,
"narHash": "sha256-Esz9X97OeAsNoJUVuqlCu2LDWcyLE24huUonhOY3JGw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "db6044d5debaff0749420c3553d1b89fc6c5c5f8",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1661700591,
"narHash": "sha256-NZa+z+TJC+Hk+87+LKkjFFmBn4GyMVEPcWFXFU+aTkU=",
@ -645,7 +631,7 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_3": {
"locked": {
"lastModified": 1632855891,
"narHash": "sha256-crW76mt9/kbUBiKy/KiSnsQ9JEYgD3StDuYAMVkTbM0=",
@ -659,7 +645,7 @@
"type": "indirect"
}
},
"nixpkgs_5": {
"nixpkgs_4": {
"locked": {
"lastModified": 1661353537,
"narHash": "sha256-1E2IGPajOsrkR49mM5h55OtYnU0dGyre6gl60NXKITE=",
@ -774,7 +760,7 @@
"polygon-art": {
"inputs": {
"flake-utils": "flake-utils_6",
"nixpkgs": "nixpkgs_4"
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1632864714,
@ -833,7 +819,7 @@
"home-manager": "home-manager",
"home-manager-utils": "home-manager-utils",
"krops": "krops",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_2",
"nixpkgs-fmt": "nixpkgs-fmt",
"nixpkgs-unstable": "nixpkgs-unstable",
"polygon-art": "polygon-art",
@ -878,11 +864,11 @@
"secrets": {
"flake": false,
"locked": {
"lastModified": 1663688404,
"narHash": "sha256-eGKtvyakb/6jncb5oQXa0c6usLvQ8DMDjr5LtBbpdzY=",
"lastModified": 1663876023,
"narHash": "sha256-esUjNxIvrKZXukSbZbre4l5nS++Iqhc19LGHcizHEk4=",
"ref": "main",
"rev": "43bc5b41992e585f8b02a18c66b478fd165ed817",
"revCount": 36,
"rev": "6b43a1b2f4ba34f684614d15f54e68d88eea2612",
"revCount": 38,
"type": "git",
"url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
},
@ -910,7 +896,7 @@
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_5",
"nixpkgs": "nixpkgs_4",
"nixpkgs-22_05": "nixpkgs-22_05"
},
"locked": {

25
flake.nix
View file

@ -14,7 +14,10 @@
};
# colmena
# -------
colmena.url = "github:zhaofengli/colmena";
colmena = {
url = "github:zhaofengli/colmena";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
polygon-art = {
url = "git+https://git.ingolf-wagner.de/palo/polygon-art.git";
@ -157,7 +160,7 @@
sterni = { name, nodes, pkgs, ... }: {
deployment.allowLocalDeployment = true;
deployment.targetHost = "${name}.private";
deployment.tags = [ "desktop" "online" ];
deployment.tags = [ "desktop" "online" "private" ];
imports = [
grocy-scanner.nixosModule
];
@ -186,7 +189,7 @@
pepe = { name, nodes, pkgs, ... }: {
deployment.targetHost = "${name}.private";
deployment.tags = [ "server" "online" ];
deployment.tags = [ "server" "online" "private" ];
imports = [
grocy-scanner.nixosModule
];
@ -194,10 +197,22 @@
robi = { name, nodes, pkgs, ... }: {
deployment.targetHost = "${name}";
deployment.tags = [ "server" "online" ];
deployment.tags = [ "server" "online" "private" ];
imports = [ ];
};
mobi = { name, nodes, pkgs, ... }: {
deployment.targetHost = "${name}.private";
deployment.tags = [ "desktop" "usb" "private" ];
imports = [
grocy-scanner.nixosModule
];
home-manager.users.mainUser = {
imports = [
doom-emacs-nix.hmModule
home-manager-utils.hmModule
];
};
};
};
};
}

13
images/lib/remote-access.nix
View file

@ -97,16 +97,19 @@
config =
let
torDirectory = "/var/lib/tor";
hiddenServiceDir = torDirectory + "/liveos";
hiddenServiceDir = torDirectory + "/onion/hidden-ssh";
in
{
services.tor = {
enable = true;
client.enable = true;
extraConfig = ''
HiddenServiceDir ${hiddenServiceDir}
HiddenServicePort 22 127.0.0.1:22
'';
relay.onionServices.hidden-ssh = {
version = 3;
map = [{
port = 22;
target.port = 22;
}];
};
};
systemd.services.hidden-ssh-announce = {
description = "irc announce hidden ssh";

0
nixos/assets/ssh/card_rsa.pub → nixos/assets/ssh/palo_rsa.pub
View file

24
nixos/assets/tinc/mobi_host_file
View file

@ -1,14 +1,14 @@
Ed25519PublicKey = 94CccmfAuNtQzopd5NiVYjTjZvSgabMh66BI/iyVmnJ
Ed25519PublicKey = X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEA8m9cBRv+9K8ywH19CZKDidwmzEa+2j3rkFjek+uPLVCHX5FlVQv+
flX5fY06DuaPzWKf4MoXHxmVa9T/WOcKZJUmhSJC2AVorhuPihOx0FNrQr69bamy
x03fiH0pHmDXumNdGMUcNf+06Zu2Nr9yze8rE1B97zb0RPBf+XC1uHw4E4PrWC/F
swibj9U45bp07wFvJrkAsngw4c6+TFERW6TK5DPKDQs7KfgdsqFGLvg2cY5phwC1
08HBC7eTf2xG6paaS7gEbhDMQ/K47Lbhbv2srnYfaBw5iyc8f29ZwEuNfE4V15B3
foz/kGAhceTuBKNCVvKvqSIL2yEsibFVyl7zlgGp3EKWuR5ETQAspJViGILwiyq6
iRYQ1AxxyroqS146CUAB8/68w0PwroKt8lXMEtx58S7/OAW0KnXGxwqSfocH+iE4
qry9pPuSs7RR6lXBB0nvSfTbaZDMUXtiyV24+pyZgl5Q31kDgUWgFpzGRBc/CTO2
h8OmUcvEyLxh3bruu0SQGXa35G1Igsumuh/uLifgHB/odLYY00PhEdpp52BswgXe
yz88nfXMOyvm7ROEyA7r2qruM1kEHDSQ8IRuxhd8YebyI7k6mYVE8CR5T89QfVl3
mrNk+f6Q/cpFiNBxr7+UBCiHix3/GDAD4NEgvu5nfqinTA34FuscTS8CAwEAAQ==
MIICCgKCAgEAxubIDrvtrZ6fKPkuwQ+sK6YlToTfVtg3HCTOR7iDf47arkuG3dTb
BgnkbB/8+KzztaYLQoLnGFugxKKtMGBvMGCo6YLtxrjuaz3aDmhpmGCJh80r80/i
8WWg1CAkboKHmaiFpS/LBxAWQUGP+YJSoTLuDwtd794wX9MxLh4x5uGRp4rCj9+4
DdGemLZkZz6Je+cBkf8qrw1Dr8CPiJk47a7bZhyKVnQ3PyvrGOjFolfcI22xp8j3
7y55DIMWhVsm6EWFK4/pzAqi9JdRd7xy8c9WRIcAHJDlSdf+ERbIjUDJC8fgMlNl
UII0SqLnBscIbqz2dMuoldeqg9S1fOiTekReLJqpLmAIn+iwpT8KW5QaESu2eh6M
Ok0sJ8A+aphuZ+FDd2FUmWQiENnPzFGYQ/SuNAA7hR5plSCbjpodulNQFY93I8y3
vRru6rm/ac+7SehWPBgHGl12UJluvHn32Q85bJ2vdtn9ONgcOdjSLA58nzfc1hv/
OA5MzIJTvDJqwjZew8A/pyz6kxrGBqnXCzzt46tvj0yZ/VhIgL3qDTR/wzRV3N14
3Z7TToIQKBPSYNxxCEHXxVQb8oWdGzeE7X52iFeYKhxj+ikZxkoXhCgIRYrDBQ0k
lnpJU+fbeFddZ4bAdqPxVT+perK33Wzgp9s4+KLh8ldpcRm8S29sNIcCAwEAAQ==
-----END RSA PUBLIC KEY-----

62
nixos/machines/mobi/configuration.nix
View file

@ -2,19 +2,26 @@
imports = [
<system/desktop>
../../system/desktop
./hardware-configuration.nix
./tinc.nix
./syncthing.nix
];
system.custom.wifi.interfaces = [ ];
networking.hostName = "mobi";
security.wrappers = {
pmount.source = "${pkgs.pmount}/bin/pmount";
pumount.source = "${pkgs.pmount}/bin/pumount";
pmount = {
source = "${pkgs.pmount}/bin/pmount";
setuid = true;
owner = "root";
group = "root";
};
pumount = {
source = "${pkgs.pmount}/bin/pumount";
setuid = true;
owner = "root";
group = "root";
};
};
# fonts
@ -28,5 +35,46 @@
height = 768;
};
# grub configuraton
# -----------------
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.device = "/dev/sda";
boot.loader.grub.efiInstallAsRemovable = true;
boot.tmpOnTmpfs = true;
networking.networkmanager.enable = true;
networking.hostName = "mobi";
# Set your time zone.
time.timeZone = "Europe/Berlin";
environment.systemPackages = with pkgs; [
vim
wget
htop
silver-searcher
];
environment.extraInit = ''
# use vi shortcuts
# ----------------
set -o vi
EDITOR=vim
'';
services.openssh.enable = true;
desktop.ssh.onlyTinc = false;
users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw== contact@ingolf-wagner.de" ];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
}

75
nixos/machines/mobi/hardware-configuration.nix
View file

@ -1,58 +1,47 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules =
[ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
# efi boot loader configuration using grub
boot.loader.efi.canTouchEfiVariables = false;
boot.loader.grub = {
device = "nodev";
efiInstallAsRemovable = true;
efiSupport = true;
enable = true;
version = 2;
};
fileSystems."/share/" = {
device = "/dev/ram1";
fsType = "tmpfs";
};
# NTFS support
# ------------
environment.systemPackages = [ pkgs.ntfs3g ];
# lvm volume group
# ----------------
boot.initrd.luks.devices = {
mobi = {
device = "/dev/disk/by-uuid/e138095f-c703-4dea-bb1c-bf888b8e1b81";
preLVM = true;
fileSystems."/" =
{
device = "/dev/disk/by-uuid/978cfc56-b47d-4d94-adae-18a4209519a5";
fsType = "ext4";
};
};
# root
# ----
fileSystems."/" = {
options = [ "noatime" "nodiratime" "discard" ];
device = "/dev/mobi/root";
fsType = "ext4";
};
boot.initrd.luks.devices."root-enc".device = "/dev/disk/by-uuid/cf30f4a6-578e-418a-9d18-d32fbf992b0c";
# boot
# ----
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/064D-3144";
fsType = "vfat";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/AEE5-221F";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s25.useDHCP = lib.mkDefault true;
# networking.interfaces.tinc.private.useDHCP = lib.mkDefault true;
# networking.interfaces.tinc.retiolum.useDHCP = lib.mkDefault true;
# networking.interfaces.tinc.secret.useDHCP = lib.mkDefault true;
# networking.interfaces.virbr0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

42
nixos/machines/mobi/syncthing.nix Normal file
View file

@ -0,0 +1,42 @@
{ config, pkgs, lib, ... }: {
#sops.secrets.syncthing_cert = { };
#sops.secrets.syncthing_key = { };
services.syncthing = {
enable = true;
openDefaultPorts = false;
user = "palo";
dataDir = "/home/palo/.syncthing";
configDir = "/home/palo/.syncthing";
#cert = toString config.sops.secrets.syncthing_cert.path;
#key = toString config.sops.secrets.syncthing_key.path;
overrideFolders = true;
folders = {
# on encrypted drive
# ------------------
private = {
enable = true;
path = "/home/palo/private";
};
desktop = {
enable = true;
path = "/home/palo/desktop";
};
finance = {
enable = true;
path = "/home/palo/finance";
};
password-store = {
enable = true;
path = "/home/palo/.password-store";
};
};
};
system.permown."/home/palo/music-library" = {
owner = "palo";
group = "users";
};
}

2
nixos/machines/pepe/borg.nix
View file

@ -8,7 +8,7 @@
authorizedKeys = [
# todo rename
(lib.fileContents ../../assets/ssh/borg_access.pub)
(lib.fileContents ../../assets/ssh/card_rsa.pub)
(lib.fileContents ../../assets/ssh/palo_rsa.pub)
];
};
};

4
nixos/machines/pepe/syncthing.nix
View file

@ -43,6 +43,10 @@
enable = true;
path = "/home/syncthing/private";
};
password-store = {
enable = true;
path = "/home/syncthing/password-store";
};
desktop = {
enable = true;
path = "/home/syncthing/desktop";

2
nixos/machines/robi/borg.nix
View file

@ -6,7 +6,7 @@
allowSubRepos = true;
authorizedKeys = [
(lib.fileContents ../../assets/ssh/borg_access.pub)
(lib.fileContents ../../assets/ssh/card_rsa.pub)
(lib.fileContents ../../assets/ssh/palo_rsa.pub)
];
};
};

35
nixos/machines/robi/nginx.nix
View file

@ -53,27 +53,28 @@ in
alias = pkgs.writeText "key" (lib.fileContents ../../assets/pgp.key);
};
"= /palo_rsa.pub" = {
alias = pkgs.writeText "key" (lib.fileContents ../../assets/ssh/card_rsa.pub);
alias = pkgs.writeText "key" (lib.fileContents ../../assets/ssh/palo_rsa.pub);
};
} // error.locations;
};
"stable-diffusion.ingolf-wagner.de" = {
forceSSL = true;
enableACME = true;
extraConfig = error.extraConfig;
root = "/srv/www/stable-diffusion";
locations = {
"/model-v1-4.ckpt" = {
basicAuthFile = "${private_assets}/stable-diffusion-htpasswd";
tryFiles = "/stable-diffusion-v-1-4-original/sd-v1-4.ckpt =404";
};
#"/model-v1-3.ckpt" = {
# basicAuthFile = "${private_assets}/stable-diffusion-htpasswd";
# tryFiles = "stable-diffusion-v-1-3-original/sd-v1-3.ckpt";
#};
} // error.locations;
};
# "stable-diffusion.ingolf-wagner.de" = {
# forceSSL = true;
# enableACME = true;
# extraConfig = error.extraConfig;
# root = "/srv/www/stable-diffusion";
# locations = {
# "/model-v1-4.ckpt" = {
# basicAuthFile = "${private_assets}/stable-diffusion-htpasswd";
# tryFiles = "/stable-diffusion-v-1-4-original/sd-v1-4.ckpt =404";
# };
# #"/model-v1-3.ckpt" = {
# # basicAuthFile = "${private_assets}/stable-diffusion-htpasswd";
# # tryFiles = "stable-diffusion-v-1-3-original/sd-v1-3.ckpt";
# #};
# } // error.locations;
# };
"travel.ingolf-wagner.de" = {
forceSSL = true;
enableACME = true;

3
nixos/machines/sterni/configuration.nix
View file

@ -12,11 +12,14 @@
#./wifi-access-point.nix
#./wireshark.nix
./scanner.nix
./qemu.nix
];
services.nginx.enable = true;
#sops.defaultSopsFile = ../../secrets/sterni.yaml;
networking.hostName = "sterni";

17
nixos/machines/sterni/qemu.nix Normal file
View file

@ -0,0 +1,17 @@
{ config, lib, pkgs, ... }:
{
virtualisation.libvirtd.enable = true;
#virtualisation.libvirtd.allowedBridges = ["virbr0"];
virtualisation.libvirtd.onShutdown = "shutdown";
environment.systemPackages = [
pkgs.qemu_kvm
pkgs.virt-manager
];
users.users.mainUser.extraGroups = [ "libvirtd" ];
}

4
nixos/machines/sterni/syncthing.nix
View file

@ -16,6 +16,10 @@
# on encrypted drive
# ------------------
password-store = {
enable = true;
path = "/home/palo/.password-store";
};
private = {
enable = true;
path = "/home/palo/private";

2
nixos/modules/system/audio.nix
View file

@ -104,7 +104,7 @@ in
enable = true;
package = pkgs.pulseaudioFull;
# all in audio group can do audio
systemWide = true;
systemWide = false;
extraConfig = ''
# automatically switch to newly-connected devices
load-module module-switch-on-connect

2
nixos/system/all/borg-scripts.nix
View file

@ -7,7 +7,7 @@
"borg-${command}-on-${host}-for-${repository}" ''
${pkgs.borgbackup}/bin/borg \
${command} \
--rsh='ssh -i ~/.ssh/card_rsa.pub' borg@${host}.private:${repository}/. \
--rsh='ssh -i ~/.ssh/palo_rsa.pub' borg@${host}.private:${repository}/. \
"$@"
'';
hosts = [ "pepe" "robi" ];

4
nixos/system/all/sshd-known-hosts-private.nix
View file

@ -36,7 +36,7 @@
config.module.cluster.services.tinc.private.hosts.sterni.tincIp
config.module.cluster.services.tinc.secret.hosts.sterni.tincIp
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyHmHJy2Va45p9mn+Hj3DyaY5yxnQIKvXeACHjzgSKt";
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
};
"pepe.private" = {
hostNames = [
@ -51,7 +51,7 @@
"mobi.private"
config.module.cluster.services.tinc.private.hosts.mobi.tincIp
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhBtcipW9rV6hHS2hv5tl5hd8vW8dnuFfFwnAs2u0kS";
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
};
};
}

2
nixos/system/all/sshd.nix
View file

@ -11,7 +11,7 @@ with lib;
tools.enable = true;
sshd = {
enable = true;
rootKeyFiles = [ (toString ../../assets/ssh/card_rsa.pub) ];
rootKeyFiles = [ (toString ../../assets/ssh/palo_rsa.pub) ];
};
};

17
nixos/system/all/syncthing.nix
View file

@ -25,11 +25,11 @@ with lib; {
// (device "workhorse" "AFSAKB6-JLH4QAS-DSRMPI3-6PVCIHF-IIAVLPC-STPNO3Y-YRDU5NW-QD445QI")
// (device "pepe" "SZLXFW3-VTAC7UB-V2Z7CHE-3VZAYPL-6D72AK6-OCDMPZP-G4FPY5P-FL6ZVAG")
// (device "sterni" "ZFNNKPD-ZSOAYJQ-VROXXDB-5MD3UTJ-GDCNTSQ-G5POVV3-UZG5HFT-CCAU3AD")
// (device "mobi" "NGI7UN6-MR2YPYI-L7DGN3I-JFZU2N3-RJBJV6K-2VZVQSJ-PWLZYOK-PXZYRAF")
// {
bumba = {
name = "windows-bumba";
id = "JS7PWTO-VKFGBUP-GNFLSWP-MGFJ2KH-HLO2LKW-V3RPCR6-PCB5SQC-42FCKQZ";
#addresses = [ "dynamic" ];
};
}
// {
@ -47,7 +47,16 @@ with lib; {
private = {
enable = lib.mkDefault false;
watch = lib.mkDefault false;
devices = [ "pepe" "sterni" ];
devices = [ "pepe" "sterni" "mobi" ];
versioning = {
type = "simple";
params.keep = "10";
};
};
password-store = {
enable = lib.mkDefault false;
watch = lib.mkDefault false;
devices = [ "pepe" "sterni" "mobi" ];
versioning = {
type = "simple";
params.keep = "10";
@ -56,12 +65,12 @@ with lib; {
desktop = {
enable = lib.mkDefault false;
watch = lib.mkDefault false;
devices = [ "pepe" "sterni" ];
devices = [ "pepe" "sterni" "mobi" ];
};
finance = {
enable = lib.mkDefault false;
watch = lib.mkDefault false;
devices = [ "pepe" "sterni" ];
devices = [ "pepe" "sterni" "mobi" ];
versioning = {
type = "simple";
params.keep = "10";

10
nixos/system/desktop/home-manager.nix
View file

@ -84,13 +84,13 @@ in
};
home.git-pull = {
enable = mkDefault true;
enable = mkDefault false;
repositories = [
# krebs
{
source = "git@github.com:krebs/stockholm.git";
target = "~/dev/krebs/stockholm";
}
#{
# source = "git@github.com:krebs/stockholm.git";
# target = "~/dev/krebs/stockholm";
#}
{
source = "git@github.com:krebs/rc3-map.git";
target = "~/dev/krebs/rc3-map";

2
nixos/system/desktop/home-manager/ssh.nix
View file

@ -5,7 +5,7 @@ with lib; {
programs.ssh.enable = true;
programs.ssh.matchBlocks = {
"*" = {
identityFile = "~/.ssh/card_rsa.pub";
identityFile = "~/.ssh/palo_rsa.pub";
identitiesOnly = true;
};
"lassul.us" = {

21
nixos/system/desktop/sshd.nix
View file

@ -1,6 +1,17 @@
{ config, ... }: {
# make sure ssh is only available trough the tinc
networking.firewall.extraCommands = ''
iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
'';
{ config, lib, ... }:
with lib;
let cfg = config.desktop.ssh.onlyTinc;
in {
options.desktop.ssh.onlyTinc = mkOption {
type = with types; bool;
default = true;
description = ''
make sure ssh is only available trough the tinc
'';
};
config = mkIf cfg {
networking.firewall.extraCommands = ''
iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
'';
};
}